NSA identifies top 25 programming errors - Network World

Description

NSA identifies top 25 programming errors

The critical importance of integrating security into programming is obvious to anyone who thinks about it, and it has been the subject of countless minatory or sometimes pleading articles. Google "secure programming" as one example of appropriate keywords and you’ll find nearly a million hits.

Back in 2001, I wrote five columns on the subject which I later collected and updated as the short paper “Programming for Security” that’s currently on my Web site.

Now the National Security Agency, working with MITRE Corp. SANS , and dozens of industry experts from many other organizations, has published a valuable list of the top 25 most dangerous programming errors . The best description of the project that I have found is the SANS Institute report . SANS provides a detailed summary of the issues, including this introduction:

"Today [January 12, 2009] in Washington, D.C., experts from more than 30 U.S. and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale.

"The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies."

SANS provides a list of the errors with ...

Original URL

http://www.networkworld.com/newsletters/sec/2009/020909sec2.html?nlhtsecstrat=ts_021209&nladname=021209securitystrategiesal

http://www.networkworld.com/newsletters/sec/2009/020909sec2.html?nlhtsecstrat=ts_021209&nladname=021209securitystrategiesal